Top 10 Steps to Hardening Linux Systems
Sponsored by Rapid7
10/16/2018
Preview of Key Points

In scope:
- File systems
- Boot security
- Firewall
- Services
- Time sync
- File perms
- Accounts and authentication
- SSH

Out of scope for today:
- Auditd and logging in general
- SELinux and mandatory access control
- File integrity monitoring
- Sudo
- Patching

Reference: https://www.cisecurity.org/cis-benchmarks/
Host-based Firewall

What does your distro and version support?
- Ipchains
- Iptables
- firewalld

Overwhelmed? At least check out using TCP Wrappers.
File system permissions

Check the ownership and permissions of the account database files, including:
- /etc/group-
- /etc/shadow
- /etc/gshadow
- /etc/gshadow-

UID and GID are both 0/root and access is 640 or more restrictive.

Check with: stat /etc/passwd
Use chown to fix the owner
Use chmod to fix the perms
Bootloader file

Apply the same ownership and permission checks to the bootloader configuration:
- /boot/grub/menu.lst
- /boot/grub2
File system permissions: Additional checks

No world writable files:
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002

No unowned files or directories:
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser

No ungrouped files or directories:
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup

Check SUID files:
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000
Secure Shell (ssh)

- Disable v1 of the protocol
- Don’t allow forwarding
- Limit network accessibility via firewall
- Disable host based authentication: HostbasedAuthentication no
- PermitEmptyPasswords no
- PermitUserEnvironment no
- SSH idle timeout interval: ClientAliveInterval, ClientAliveCountMax
- LoginGraceTime
- Which users? AllowUsers, AllowGroups, DenyGroups
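To turn the sshd_config points above into a repeatable check, here is an added example written for this page (not part of the webinar or of Rapid7's tooling): it parses an sshd_config, applies the directives the slide lists, and returns one finding per miss. Reading "don't allow forwarding" as AllowTcpForwarding plus X11Forwarding, the extra DenyUsers directive, and the numeric limits (300 s idle interval, count 3, 60 s grace time) are my assumptions, not values from the slides.

```python
import re
# (hardened value, OpenSSH default when absent); treating "no forwarding" as these two directives is assumed
BOOL_CHECKS = {
    "allowtcpforwarding": ("no", "yes"),
    "x11forwarding": ("no", "no"),
    "hostbasedauthentication": ("no", "no"),
    "permitemptypasswords": ("no", "no"),
    "permituserenvironment": ("no", "no"),
}
NUM_CHECKS = {   # (default when absent, allowed range); limits are assumed, not slide values
    "clientaliveinterval": ("0", 1, 300),   # 0 disables the idle timeout entirely
    "clientalivecountmax": ("3", 0, 3),
    "logingracetime": ("120", 0, 60),
}

def parse_sshd_config(text):
    """Map lower-cased keyword -> first value; sshd honours the first occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("match "):
            break            # directives under Match are conditional, not global
        if line:             # keyword and value are separated by blanks or '='
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            conf.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return conf

def audit_sshd_config(text):
    """Return one finding per failed slide check; an empty list means all pass."""
    conf = parse_sshd_config(text)
    findings = []
    if "1" in conf.get("protocol", "2").split(","):
        findings.append("Protocol permits SSH v1; set 'Protocol 2'")
    for key, (want, default) in BOOL_CHECKS.items():
        if conf.get(key, default).lower() != want:
            findings.append(f"{key} should be {want}")
    for key, (default, lo, hi) in NUM_CHECKS.items():
        if not lo <= int(conf.get(key, default)) <= hi:   # plain integer values assumed
            findings.append(f"{key} should be in {lo}..{hi}")
    if not any(k in conf for k in ("allowusers", "allowgroups", "denyusers", "denygroups")):
        findings.append("no AllowUsers/AllowGroups/DenyUsers/DenyGroups restriction")
    return findings

# Constructed sample, not from a real host; the Match block must not mask the global PermitEmptyPasswords.
WEAK_CONFIG = """\
Protocol 2,1
AllowTcpForwarding yes
PermitEmptyPasswords = yes
Match User backup
    PermitEmptyPasswords no
"""
```

Running `audit_sshd_config(WEAK_CONFIG)` reports six misses, including the missing idle timeout and the default 120 s LoginGraceTime, because absent directives are judged by their OpenSSH defaults.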
Bottom line

It’s a hard truth: you’ll never be able to fully secure every system in your environment. You need to focus on fixing what attackers are actually taking advantage of in the wild. And that’s where our sponsor, Rapid7, comes in. Justin Buchanan will briefly show you how InsightVM helps you gain complete visibility of all of your Linux systems (do you know all of the Linux systems in your environment?), prioritize the vulnerabilities to focus on, and break down the silos between your security team and IT team to drive remediation.

So here’s what you need to do: know all your *nix systems, including which distro and version each one runs.
The Rapid7 Insight Platform: Vulnerability Assessment

COLLECT: Continuously identify and assess risk across your cloud, virtual, remote, local, and containerized infrastructure.

PRIORITIZE: Leverage unparalleled attacker analytics to prioritize vulns more precisely with a Real Risk score that goes beyond just CVSS.

REMEDIATE: Break down the silos between IT, security, and development by automating remediation and containment.